Websites today are becoming more complex than ever through the introduction of a wide variety of dynamic content designed to enrich the overall Internet experience for users. Dynamic content is achieved through the use of web applications that can custom tailor a website to the user depending on their individual settings and preferences. However, a downside to websites with embedded dynamic content is that they expose users to one particular type of security threat that "static" websites do not: cross-site scripting (XSS). XSS attacks focus on the way HTML content is generated and interpreted by a user's browser. It is a common and severe security problem that occurs when a malicious attacker inserts malicious code into a website, in the form of JavaScript, VBScript, ActiveX, HTML or Flash, for execution on user systems. A user may unwittingly activate malicious code embedded in a webpage simply by clicking on a link on the website, opening an e-mail or e-mail attachment, or reading an online journal (blog), message board or guestbook posting. Once activated, this malicious code can do everything from hijacking user accounts, changing user settings, collecting user personal information and stealing user cookies to redirecting users to a malicious server of the attacker's choice.
A number of conventional methods and tools are available for web users to combat XSS attacks. The simplest preventative actions a user can take are to disable scripting languages completely in their web browser and e-mail client and to follow only links from a main website. The disadvantage of these approaches is that the user suffers a significant curtailment of the amount of content that he can view and experience on the Internet. Alternatively, the user can use a browser-emulating tool to check a website's vulnerability to malicious code implantation before he actually visits the site using his browser. These tools have two main drawbacks: 1. conventional XSS testing tools require the user to know how to create the script that emulates the XSS attacks, and 2. conventional XSS tools cannot be run during the normal course of browsing. In short, the current XSS testing tools require specialized training on the part of the tester and are therefore not user friendly.
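The two preceding paragraphs describe how XSS arises in HTML generation and what an XSS testing tool emulates. The following is an added example, not part of the original document or of any tool it describes: a guestbook page rendered first without output encoding (the vulnerable form) and then with it (the hardened form), together with a minimal susceptibility check that sends a harmless marker tag and reports whether the page emits it unencoded. All function names, the probe string and the sample postings are constructed for this illustration.

```javascript
// Added example (hypothetical names); demonstrates an XSS flaw in server-side
// HTML generation and a benign reflection check of the kind an automated
// susceptibility tester performs.

// Encode the characters that change meaning in an HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the posting is concatenated straight into the page, so any markup
// in it is interpreted by the visitor's browser as part of the page.
function renderGuestbookVulnerable(entry) {
  return `<li class="post">${entry}</li>`;
}

// Hardened: the same page with the posting encoded before insertion, so the
// browser displays the markup as text instead of executing it.
function renderGuestbookHardened(entry) {
  return `<li class="post">${escapeHtml(entry)}</li>`;
}

// Benign probe: a harmless tag that a browser would treat as markup. If the page
// returns it byte-for-byte, untrusted input reaches the browser unencoded.
const PROBE = "<b>xsscheck</b>";

// `render` stands in for the website under test: it maps user input to the HTML
// the site would serve. Returns true when the site is susceptible.
function reflectsUnencoded(render, probe = PROBE) {
  return render(probe).includes(probe);
}

// Summary a browser-side checker could show the user without any scripting
// knowledge on their part.
function checkSite(name, render) {
  return { site: name, susceptible: reflectsUnencoded(render) };
}

// Constructed sample postings, one harmless and one carrying a script tag.
const SAMPLES = ["Nice site!", '<script>alert("xss")</script>'];

for (const s of SAMPLES) {
  console.log("vulnerable:", renderGuestbookVulnerable(s));
  console.log("hardened:  ", renderGuestbookHardened(s));
}
console.log(checkSite("vulnerable-guestbook", renderGuestbookVulnerable));
console.log(checkSite("hardened-guestbook", renderGuestbookHardened));
```

The check only asks whether the site reproduces the marker unchanged; it deliberately sends nothing that a browser would execute, which is what lets it run safely during ordinary browsing.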
In view of the foregoing, a user-friendly tool is needed that checks for website susceptibility to cross-site scripting attacks without requiring the user to provide specialized information and that allows a user to initiate a checking operation during the normal course of browsing.